Analysis
max time kernel: 123s
max time network: 102s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/05/2025, 10:00
Static task: static1
Behavioral task: behavioral1
  Sample: Thorium.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: Thorium.exe
  Resource: win11-20250410-en
General
Target: Thorium.exe
Size: 302KB
MD5: 4a94c74790129bc41d75fe0c1bf5f351
SHA1: a5540af8fbaad2656afb3a7b76c42a50b5bbc366
SHA256: 1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50
SHA512: 9787fe4cffeaf150845cfe989aa6eac504cfa00d4911d7069be5fb3dca6052531b5cfafe1734b288856818e11cd331345f5f884477f566e23aa6ddf94ad8fc07
SSDEEP: 3072:zKhJM9JdZ5usnvivd9vN3LaRHVbe7ufTxrr++U/e8mmmmmmmmmmmmmmmmmmmmmmR:zKE51nvivXvEVRUdzWE3
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "䑐凮眊칪舱\uf709\ueeb8鯿䈴띢ᆬ䫖ꋉ褰꾴闦轑ㄷ깈"
  process: Thorium.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "\u3130⟘耆\uf268䐋᳒⇁\ue6b2క저\uebcf쿛㵛"
  process: Thorium.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 64 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\WINDOWS\SysWOW64\drivers\hostsvc.exe
  process: Thorium.exe
Manipulates Digital Signatures (1 TTP, 64 IoCs)
Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "刅\ufaf4殮琸\uf5e7䎏娶包큳\uf77e䧚씡ꔰ倂龵ࢄ㺪腥蓙"
  process: Thorium.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "᭄羈뚏배竨ᢳ㲡\uf04d\uf1c2哑꾟慟䥉嗶ⷆꄼ畧ゴ\ue082儬촹"
  process: Thorium.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\Geo\Nation = "櫹闆肪鷞ለ冏娋쾘ꁲ䍘㞪⬀ꅻ\U000afad9⍁㧳\u2ffd㭀啽稢祘\uec29"
  process: Thorium.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Modifies system executable filetype association (2 TTPs, 19 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\"
  process: Thorium.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\uf434멢赇┼\ue711⡟앳\ua956\uefc6ኢ熑ﵢꟂ䬢岫⡑镾釢䱂㹶꒫㙷櫴煉"
  process: Thorium.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (64 IoCs; the list below is deduplicated, the original repeats the powershell.exe entry)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  process: powershell.exe
  description: File opened for modification
  ioc: C:\WINDOWS\SysWOW64\configsvc.exe
  process: Thorium.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\WINDOWS\SysWOW64\msmgr.exe Thorium.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification 
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification 
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WallPaper = "Ằ﵀\ue69d祥蕙㙰ꁪ⢉깰㞒礴֓\ue396ꅰ㐺붫ﳳ\u0530煔촱鰼" Thorium.exe -
Drops file in Program Files directory 10 IoCs
All ten are executables written by the sample under names that imitate Windows services; thorium.ico.exe carries a double extension, so it displays as an icon file once Explorer hides known extensions.
description ioc Process
File opened for modification C:\Program Files\Internet Explorer\svcagent.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\configtool.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\svchostcache.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\Network\netserv.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\svcbackup.exe Thorium.exe
File opened for modification C:\Program Files\Internet Explorer\Connection Wizard\server.exe Thorium.exe
File opened for modification C:\Program Files\Internet Explorer\images\thorium.ico.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\syswin.exe Thorium.exe
File opened for modification C:\Program Files\Windows NT\logsvc.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\hostagent.exe Thorium.exe -
Drops file in Windows directory 7 IoCs
Several names imitate Windows components; fontdrvhost.exe, for instance, is a real system binary whose legitimate copy lives in System32, not under Fonts.
description ioc Process
File opened for modification C:\WINDOWS\INF\infhost.exe Thorium.exe
File opened for modification C:\WINDOWS\INF\driversvc.exe Thorium.exe
File opened for modification C:\WINDOWS\Fonts\fontmgr.exe Thorium.exe
File opened for modification C:\WINDOWS\bootcfg.dat Thorium.exe
File opened for modification C:\WINDOWS\Fonts\fontdrvhost.exe Thorium.exe
File opened for modification C:\WINDOWS\SystemApps\winoptimize.exe Thorium.exe
File opened for modification C:\WINDOWS\SystemApps\taskfilter.exe Thorium.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. At start-up it loads every helper DLL registered under HKLM\SOFTWARE\Microsoft\NetSh, so an entry added there runs whenever netsh is invoked. The three IoCs below are all read operations (open, enumerate, query) on the WOW6432Node copy of that key; no Set value on it appears in this list, so registration of a helper DLL is not evidenced here, only that the sample inspected the existing entries.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Thorium.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Thorium.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Thorium.exe -
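Added here as a triage example (not code from the sandbox report, the sample, or any vendor tooling): a PowerShell sweep that checks a host for the files named in the Program Files, Windows and System32 drop sections above and lists the Netsh helper DLLs registered on the machine. It assumes Windows PowerShell 5.1 or later in an elevated session; the path list is copied from the report, the function names are this example's own, and the "suspicious" rule for helpers (a full path outside the system directories) is a heuristic, not something the report states.

```powershell
# Added triage script; not part of the sandbox report or of the sample.
# Sweeps a host for the dropped-file and Netsh-helper artifacts listed above.
# Assumes Windows PowerShell 5.1 or later, run elevated.

# Paths copied from the "Drops file in ..." sections of the report.
$DroppedFiles = @(
    'C:\Windows\SysWOW64\configsvc.exe',
    'C:\Windows\SysWOW64\msmgr.exe',
    'C:\Program Files\Internet Explorer\svcagent.exe',
    'C:\Program Files\Internet Explorer\Connection Wizard\server.exe',
    'C:\Program Files\Internet Explorer\images\thorium.ico.exe',
    'C:\Program Files\Common Files\System\configtool.exe',
    'C:\Program Files\Common Files\System\svchostcache.exe',
    'C:\Program Files\Common Files\System\svcbackup.exe',
    'C:\Program Files\Common Files\System\syswin.exe',
    'C:\Program Files\Common Files\System\hostagent.exe',
    'C:\Program Files\Common Files\Network\netserv.exe',
    'C:\Program Files\Windows NT\logsvc.exe',
    'C:\Windows\INF\infhost.exe',
    'C:\Windows\INF\driversvc.exe',
    'C:\Windows\Fonts\fontmgr.exe',
    'C:\Windows\Fonts\fontdrvhost.exe',
    'C:\Windows\SystemApps\winoptimize.exe',
    'C:\Windows\SystemApps\taskfilter.exe',
    'C:\Windows\bootcfg.dat'
)

function Get-DroppedFileReport {
    # For every listed path that exists, record size, timestamp, hash and signature state.
    foreach ($Path in $DroppedFiles) {
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { continue }
        $Item = Get-Item -LiteralPath $Path -Force
        $Sig  = Get-AuthenticodeSignature -LiteralPath $Path
        [pscustomobject]@{
            Path       = $Path
            SizeBytes  = $Item.Length
            WrittenUtc = $Item.LastWriteTimeUtc
            SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            Signature  = $Sig.Status            # NotSigned / HashMismatch are the ones to chase
            Signer     = $Sig.SignerCertificate.Subject
        }
    }
}

# netsh.exe loads every DLL named under these keys at start-up, so a value added
# here runs attacker code whenever netsh runs. The report shows the sample reading
# the WOW6432Node key; this lists what is actually registered on the host.
$NetshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\NetSh',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\NetSh'
)
# Regex for "inside %SystemRoot%\System32\ or \SysWOW64\".
$SystemDirs = '^' + [regex]::Escape($env:SystemRoot) + '\\(System32|SysWOW64)\\'

function Get-NetshHelperReport {
    foreach ($Key in $NetshKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Props = Get-ItemProperty -LiteralPath $Key
        foreach ($Prop in $Props.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty attaches to the object.
            if ($Prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $Dll = [string]$Prop.Value
            # Built-in helpers are registered by bare file name and resolve from the
            # system directory; a full path pointing elsewhere is the thing to inspect.
            $HasPath = $Dll -match '[\\/]'
            [pscustomobject]@{
                Key        = $Key
                Name       = $Prop.Name
                Dll        = $Dll
                Suspicious = $HasPath -and ($Dll -notmatch $SystemDirs)
            }
        }
    }
}

Get-DroppedFileReport | Format-Table -AutoSize
Get-NetshHelperReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A helper registered by bare name can still be hijacked by placing a same-named DLL where netsh resolves it first, so rows with Suspicious = False are not automatically clean; compare the bare names against a known-good host of the same build before closing the case.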
Program crash 1 IoCs
pid pid_target Process procid_target
4556 1408 WerFault.exe 80 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Every IoC here is the same key opened by the cmd.exe and powershell.exe processes seen in this analysis, never by Thorium.exe itself; both shells open this key as part of normal start-up, so the count mainly reflects how many shell processes ran.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
(the same entry is recorded 64 times, attributed to powershell.exe or cmd.exe) -
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments. Here, however, most entries are Set value writes: the sample overwrites VendorIdentifier, Identifier, ProcessorNameString, FeatureSet, ~MHz, Update Revision, Component Information and Configuration Data for both logical processors with random strings, which is tampering with the hardware description rather than a sandbox check. The HARDWARE hive is volatile and rebuilt at boot, so these overwrites last only until restart, but they corrupt what any software reads there for the rest of the session.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "㰮֫怵⊠匴ꍟ郅櫏‸ጡܕ夂ﶫ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "穝ᾙ펔\ud7a6\uf866浅䣃鋬馲ꈚ\u0de4쏌잟㱊\uf122" Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "쑹쭁ꘘ㧒䨖啳ⶐR頄㢵䗪줠孕Ҧ\ua95b᥌\ue5e4縚" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "嬥呛ভ\ue8c0䩡㟾᳥\ue6e4睫ȼ폅熅ᝊꄇ犒\u0ffa铎ᫀ倐믗鬎詠" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "\u1cca뷔㢪顧攭뉢啁ㄘ鳌᮫뒁錮飬\uef69䚙\ueaba⎭괥Ἃ蟟\uf8cc" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "뎧Ậ隙\uee32\uf6ac쟗爝뙅↋眘\u0eda\uf0f0ȴ顸륏\u20f7\u0086嬟佥" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "ோ⦕缿달ꧬ୲啖ঊ\ue951秣ꇦ몺\ue982ꃫ㠅\ue780藯뤫\ueddf秡\ue33d" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "\uf166囘샨䉛⪹䏻\u0ee6䢫ꞷの딓\uefc4죒ꬰ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "ꋠ\ue621\ue9b2鿸ἀꓢ聉삶朋鲉ᅥ\ue893䪝" Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "젂᧱縵懚㽸쳬눢ﭑ럂붎⼣蒇㨒㮕紕潰趸嘫" Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "덓톓뛗列鉝汻\ue6dc\ue565ƚ᧑홬㏑譯涸໔\uf3a2鹶⋷\ufae5鋻⟚㷇" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "㬊㟠窗ѐ굊캣㞽〈仱匔ꭑ押⢯좾渠" Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "ẛ\ue399瞗놷펧덩\ue4ae孔擭逛﨨\ue005喼㰭ㆸ繧殺勼骿" Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "鞃㢶戻文ᓂ⇖甁믍᱅弬" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "轳\uf04bﱜ\u1c4c\u0c54ᜒ鳳\u0ef1娂挷ꬃ褧䚥鬶꣧ꣿ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "珞ꌛ⺅ꭧܫ\ua7ceЯꤨꄢ䕔욻᯦ឹ㰋\U0004501a㶺첦兞\ue506ꚳ" Thorium.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
All entries sit under the volatile HKLM\HARDWARE\DESCRIPTION\System tree. Alongside the reads, the sample writes random strings into the Identifier, Component Information and Configuration Data values of the disk controller, keyboard controller, floating-point processor, multifunction adapter and PCI video bus entries, and into the system-level BootArchitecture, Capabilities and Identifier values.
description ioc Process
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "呵⿰酇⣼缋₤탪闊\uee51擏" Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "\uf82b䀄\ufb07⃯⯘줆윊徴\uf51e蕾瑆碯즾歫籴㲟\U001059e0ꈠ" Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ե㝰䔨\ue9cd\uf4f8⟄餡舁횽\ue5f9" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data = "е⟴섐趋쾦陹⾾\uf6bd쿲ˊ郦\U000d73afꀥ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "脓鱺틆ᮖᕍ哺ꌳ⎺鉳콋\uefddᶴ試矪洳셷ᵇ䅟췌氾" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier = "⸓㩕钹⑾茋\uf071\U000ad90b駐\u244e\uf455⧏㦥쩫㭞౹힗␎꼸ቊ䀇轞⥀" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data = "️奲𘛼톥ꛏ⠪쭠⥊﹡" Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information = "߰\U000a7701䯍\ue36a왆\uf543Ⓜᥥ돕乛憆䋙\u2002ҁ젨⏫\ue784紜♬鍺秘" Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "戒綷赊ʲﲤ\uedbd\U00076b5d\ue0c9⁶蟐\ue75f侱\uf703닳屸卻죆╜ޖ谨" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "Ἠ䴰\U000f6acf븇\uf328\uf67f춁篟\ueaef㘚\U0001d273픊瑹鴙鳋" Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "豌衴鶬芯늰\uf3bb\ue899ꋝ棶淤顋뺣᧣䜟홇䇹Ჿᗽଅ䇔䠾儜漤" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities = "㜿麼풉纊術㣌럿잗툫\uf139穳\U000978fc씛䭑\ue3e7⒘᧷軦༫蕊责蹢" Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data = "ퟏو\uea4d㿊৮⨐ᗛ亙늇斪" Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "퓿➫\ue91d\uef67볨퍈⌃蒅㭜蜙㽄W현厱樔士蜀" Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "萣⛔笓巺竿㟖圔歔\uf3b3ٌ㋛䷋" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "祰㇚層\uf027꠩䅪\uf0e1䊻\uf11d㾙쪥⚷쓶컐\uf541" Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier = "\u218d戍덌䁵\ue069ᚌ끑羸駉戆慢㬹\u058cဍ\ue623鯫" Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "䯇覦偧빃紖ꆩ悾온\ue7d2㪍絹䪈" Thorium.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "뷦ꆺ貥ᡉ㏘匘맅\uf2bb\ue151刀敐䘿놢埫鞼ꂦ됰㱕뙡벩⁈" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "图䃪\U0007a717俕ᱛ㔦떀쑃멋摈ꙣ鳘깨䆖" Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "뮛\ue4a2槨ᆎ魸㢆⩤夻⏿쬝ꃦ堶춒ࢅ긿虌秗\U000e8be8븛ස" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "饧䓩\uecb5ⴆ闁ᵏ\U000a0efc욷煱࠹ﴇ℃檝芮⎚\ua95b\ue80d伻鱀斯圕" Thorium.exe
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data = "뼚\U0005370a䴱偉曫쟐믱緕⌬\uf54b\uf31a腐㬠㛗륨뜹殢⊼" Thorium.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Thorium.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Thorium.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Thorium.exe -
Modifies Control Panel 64 IoCs
Every entry is a write to a per-user Control Panel value (colours, cursors, window metrics, locale formats, power policies, accessibility and input-method settings), and the data written is a random string rather than a valid setting. Unlike the HARDWARE hive, these live in the user's persistent hive, so the corruption survives a reboot. The list is truncated in the report at the last entry.
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\TranscodedImageCache = "㨙㔺\ue770磎鸅ꂋմᕘ겮巢存埏" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\DoubleClickWidth = "흶ᓐ쭋ゥ\ueb3eꝡ吚䮫輼♓整ۣܲ奞轹ぱ\uf2fc檓ᇈ盋" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\0\Description = "⎚\uaaf9솮熲\uf6a4\ueb03㵥\u09e5誩댷鱽̑\ue9a2\ue62a욮수讞惧\ue735䯺퉅ᾟ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\5\Description = "讔\ue901ᝯ變흆\u1af2헜籃傯覯\ue2f2룪ᶊ䅺\U000cdf37\uf545\ue2b5䲛졄饤꙽" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\5\Policies = "\U000e6b72确\u0fed瓧谡⟋錄១ꈄ\ue97e\U0006f42e\u0dd7㜆ﰓ岕ꆺ즒삦" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "\uf79f\ue734몂ⶾ\uf501뮮\U00096890‐푶盁喺ꘗ⟨䛹\u18fb鸹" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\TimeOut\TimeToWait = "㭹ᣨꓝヌ쓹뤷䥚墕眗\U000d7634鎆僭慃誵쌰뙒去\ue0a0" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\LastUpdated = "Б\uf734輰昧훾鑉켠哵\uf865ᛥ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\InactiveBorder = "\ue66c\U00046b32姪耸䥭먬䏍鏜ꦛ둔꩜ᗟ㥚ί囱\u2431칆\uf2d9䭙⦇" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\s1159 = "\u197f䀔ᷙ唩\U000e6f61ķސ1슕輱᩼锵" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\SlateLaunch\ATapp = "告Ԏ綾魍诌嚖\uf3b7釿眂\ue5a2冧堠ㄦ\ue7d0ՋЗ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\BounceTime = "ꒀ꧌\ue9ed儔趫\uecbeൔ췋\ue4ac欣\uf81a瑂\ue735伐缴\U0006f2d2嵭Ӟ卪䭽" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Delay = "奐砋⊟寲嚫坋\uef5f釵耜ਵኛ濆ᷟ븺Ȫ\U000c3191鞀㽇\uf4d7著⬟응\ued5a" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Appearance\Schemes\@themeui.dll,-852 = "鮡鞡쬧癎lꃻ㺂빎材\ue2baⴼ\uf6ea饣방縆펻瀬" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Appearance\Schemes\@themeui.dll,-854 = "뾞쯔죆௴㚅㪚䨒\ue709곬혽恠⼘㷰뉼\ueda8㧂䗻" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MenuShowDelay = "虪靦렉ᜈ瘱㛬⤓✅퉜䠕" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\Menu = "멻ﻖ䞙▚\uefe9촳捳铑ꇢ兜㙹㜈㛄ꦢ诟筻萝" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000071\Target IME = "櫃\U0010baae\ufaef튿ᤪ히鿄㈤㣁棇릫澫䊞\uecea⟐" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\SettingsExtensionAppSnapshot = "蠯\uf7e1勤뱤\ueefa鉔ꚶ㶰ɖ\ue2c6蘠挻༈瘩" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\AppliedDPI = "ꮌꗓ\ue92aꉻ늟ෟ辬\ue80a튞憈ᆱ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sMonThousandSep = "볼ꇓ೫脌≤晃荣⾗펿胳\ueaf9䤜cﴚ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\InactiveTitle = "蔓学ꑋ绎왶\uebe2\U000ec440奔捁Ꮸ蛣缐봛ᷡᘑ禗ᛤ킷藦" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sCurrency = "\u2062ᅧ垣⩝橔끿\ue750姭⥖\ue799㘱痔\uf0dd" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Sound\ExtendedSounds = "ૅ嗓፠梂㋊ᘽ蠒땞욡勧\ueff5擲\ueb03\U00080ddb薉\uec1c佖륏\ue637" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\ActiveTitle = "㜤泉㕱⎥愔\uece0δ謟䶭ꤢ፪㱊\u0ef6ᦙ롟쇞㷇\uf3ec" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\Help = "鿎蘽䯑벾穣\ue37f뚇块\uf89f끮ᄚ¡袨梟" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DragWidth = "鄰뀕ﭼۊ蜴\ue82c断匸릥\U000418bd쳋" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\TitleText = "諆鐬닱㸖Ƅ쫞璕䱺௱뿚\ue5f7췑谯" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\iNegCurr = "勖\u0095蠓\uf64bࡑ\uef5e㗒ꦪ瓣럮矩덣֖렞\uf3ba\ue2bf㴦" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\User Profile System Backup\ShowCasing = "䅩\uf69e\uf3ecY彬凥둨椃ࢰ谚悬䮅ᖱ搖뫇ﭒ戕" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\MouseThreshold2 = "핾뻹悽\uf8a7Ͼ脗⥶䴚\ue300嬛ध\uec29\ueeef깋昢屠" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\ButtonAlternateFace = "뿦\uffd8\uaa3e촚쒌馬ᦶ෯\uab19ㇰ硌懻藆뜳\uf746" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\GradientActiveTitle = "⡽\U000f2bc3琹뾷襪\uf734ↆ擀방\U000d2140삡䴃뙁쾇즆\uf357\ua4cc" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DockMoving = "皛ꃪ諭\ue936무มɕ뉼씲䳊庰ꦓ\ueb7e쏕\U0007d714떿\U000f3386ﭹ禩" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DragFromMaximize = "\uef12㷶\U0009847cꊮ鿿ᩧ㏾惁﹄ᎂ폙変笖㞶肳ᒦ璍" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\FocusBorderWidth = "斏쒮뎲\ue513艮宁\ued85䄞뵀탩⪀孃" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MaxMonitorDimension = "⽨㮣퉨Ⲭ鋐⭌鮮뵬㋎ڳ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000202\Target IME = "ꢜ\ue456␒㢂ᠱᇃ哨\ue128駆묍拱ﵷ밵ꈋม鑵\ue5d5渢궹푉别漸" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\SwapMouseButtons = "텟♎똄償뵥ᯙლ˔\ueb41ﺹᜊꧮꖤﴏ鶺鵀⚱" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\ActiveTitle = "忼࢘뫙䵊틥湒ᲁ廂姉౿\U000675c8" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\1\Policies = "ባ禀內\uf277菕鬭왢솧鉗蹻\ue7f5⚓\ueec1솋淿㎳ᔺﻐ愅\U00102724圉" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\3\Policies = "℔ᜥܵ暸靸咻냂൛\ue439⋱ᨚ쇪" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\MouseKeys\TimeToMaximumSpeed = "崪弙\ue042쁵㠘놖퉫\U000ae148鶼ౡ쨦ᰞᩘ㕭⑭磁褽楛" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\CaptionFont = "\uf3c6᯽獾軤㟝Ⴄꟻ\ue604⡥鞧\ueee1뎺\uf38c㴛\ueb7b㭂䏘米喁\ue6cf쾩" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = "嗫鮸낃ﴯ鹧\uf190厑綪\uf01b荋曁飑՝\u0b97힖䆰ⶵ뀜笒" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000203\Key Modifiers = "䈪へ㻱뒷ຆꐝ粥웒憩㩺" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\IBeam = "ꅓ濯쇠䝜䊸훩糉냡ო탽ㇿ획ꣶ䉩" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WheelScrollChars = "桷ꉟ恷ꠄ黦\uf8a7뛹怦슘犰䊻沍럌膘ả" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sTimeFormat = "ᓩ궱ᮙ莡﹦炾㶋\U00074e80\uf508㔴ᕸ橔ጙ풢죦\ued6e몜쨔\U00012f55䛍" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\User Profile\ShowTextPrediction = "≂긘굕ꐄ\uf221䔑鑓祇鋾熮읇" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "芎\U00100361쒞〒ꔏ钮휑텞䟐띕㸡" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Wait = "㗋餕碝곪畩鼊鮋렢쥞ソ癊" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\ = "梌\U00095ddc\uf830\uf397檩\uf5d2囹⻭嶨嵞퐧곹\uf31b\U000d7576璂왯\ue00b湺㣇\uef8d┓" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\ClickLockTime = "\ue2ff冢ֶ뫠\ue19dꟖ龿⏱\uf80cወ䝷车℉\ua4ca綾" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\IconFont = "帊⻯⎸솦䎨ႊ㌡ګ鬝\ue4e9渒蜒\uf293蔢\ueace셟" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sYearMonth = "拢㭊\U0010b3bb깃\U000897bf怦꽿퍟䎧桧\u2e6e䇏薭솟ꄬἙ脇" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\iMeasure = "ꇻ睺칝フ圽燆ꤸ海㰏樏켾팩由ﲓ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\GradientInactiveTitle = "敜礄ય⑀챬꒦뭵ㄺ夒맊⍖传剋嘪둰㬧\ue942촹ὴ\uf730書邨" Thorium.exe
Set
value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = "㙵櫒䀏ꆤᡢ\ueaf2計쌞괆\U0007e74c퍂᳧䜴ⰷꣷ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "\ue2ba痽ꑵ鈼뽲惄犈㊔㿜촄" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\Hand = "ꅲ黖環ら䂇P\uea83ᓏ\U000794b0쳁탃달" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\SizeNESW = "\uf21f鴡绻瀍ꎙ塼뤎\U000645f3끇尚룦髾曍贈ퟮԃ誁蕙ṁ귘։伐" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000010\Virtual Key = "鬏賓ዼ녺适查邗锳೮ᑡϝ桔뻗\ua4c8痈蚘냕泹䘔꽕\U000e8f17黈" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sShortDate = "嶇ႝ捦瘤\ua7d4ⷨᆨ쯇磪\ue019♛倬⡇얦䪇" Thorium.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "\U000955f4뿗㯞莱禬湪磃贮野" Thorium.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}\FWLink = "ἥ庯끑\ua4cf䣹ꭰ엢뫞푌\U0001a4be\ue19a䝑쫭剦괠봵\uea87" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{053017A8-53F7-4EA3-AA38-A4CCAAF1F9E7}\BlockType = "㒶癒➰庹ၑ\ue10a웸鼈쨟哤\uf58bꚨ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8136114F-FAF9-11D3-B0D3-00C04F612FF1}\Compatibility Flags = "狆ꀦ႓㙮⺋撔\uf4ce✙㊉腃" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FRIENDLY_ERRORS\PlugUIText = "庈⣟끸ደ该寑轙\uedc0㋷皜ꔽۍ謿廖\ue36eꑤ埙" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0\HKeyRoot = "\U00019671ឬ陦榇疨젂ꄈ㽗얞皦期脞➢ﶔ솳傍踰" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A}\Version = "㴫꩜ϰ鯖ꭇﹸ쓢糪\ue1bb绗겴播𡒽힣廄\U000d5f7f䩦氕ⓓ蒜" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\Version = "ড়\uee72啊Ԭ黾တ醋ꡤ섉ꕘ禗飝겝" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}\CompatibilityFlags = "뮮Ⅱ옸뗕\u1ae6饋뼁ᙁ蝏\ud7c8\u0edb쯻\ue064ŧ〢" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ButtonText = "퇢\u20c9䐭躚醈裆悹⣔㤔⛠" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\505 = "䫓藒꼮鞛\ue3c2勇\uf262\ue6f4곶딊荌㕿Ǚ싄뜪펹臃煿㞚" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet 
Explorer\ActiveX Compatibility\{4F496A52-13F7-483D-B5E2-0FC4AA567749}\Compatibility Flags = "侀\ue499뼹摘ϴ圁滛哟ꇁ鷐\uef7b竁\uf632牴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\Type = "檎\ufde3盙ꦷꧬ걕䝜\uf16b筌뉌ⶸ舔" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{28AB0005-E845-4FFA-AA9B-F4665236141C}\Compatibility Flags = "폔갻誟繀\uf864\ue45c冴穕\ue8ab\ue439" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND\HelpID = "轂챩츟揼䦞༤㞍欦聘\uea87\ue564\ue364龰\ue2c5ퟮ哆䶭䜹憗䩈뺶" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "\ue0f2\U000f3f72穣㴞ঈƕع垛駚哆㖝\uefc4Ʒퟶ犷Ꝙ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "뻸颣㠼昿휣ꕩ⦾絣ɹ鸼㹒棜ἠ㮴\U000f4a8cﮞ瘇இ敂蟼嵅䗜" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "䩎軭ያ뇤₩⊷ఝ훈䡧䨢▄筋봖%" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\outlook.exe = "\uf8c2큺䜆㸛陬\uf4bc殤鬳阓爩\uf1bcḜ써ᩘꬅ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\5F3EF8894394826345EB838C8C72F3A40B521893\Policy = "ᑩ휡뻻茓⤝⟇\uf80c丵Ʉ눐䅥袜쎪跓਼\U000f1bd9㮢驣၁읅" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BC6-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "טּ☦쿕\U000b10ea飭倌孫ꔪ댒踔尧\u2450쏜력Ꝣ液ຝ킸㱓瘖婧\uf232" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\ValueName = "륔睝ࣚ蔥䜠䢗\ue362\uee41瘖偖猥訟觬ꃴ芃⤚蝅曏娞变\u0c75" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\BlockType = "覴鳆勩㢋扝敽蹊輋ﴠ鋙䭮賄吸䵽珢蟕笈" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable_Disk_Cache = "Ꭰ\uf157뾸綴뼐씞\U000129ab쇋全으⯔睒奦䧻╪䒾蚊옶ଘ\ue467" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CC7DA087-B7F4-4829-B038-DA01DFB5D879}\Compatibility Flags = "苤“稸骘節䇛췋渫\uece6믦쨠ⴚ褩煐䦀洱軻뱪뚅옺\ue437パᘕ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES\RegPoliciesPath = "䎩룸\u0ff8茠쮚龅\uf8dc\U000d0382䒌⁘鼯㍠" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CERTREV\HKeyRoot = "侐療⮂ﴍṕ硩嬨믥뻎న觧뤂쮻뉖\u0cf4饠" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{124D001A-BDCB-472F-AA59-BBE7E4BC3204}\CompatibilityFlags = "᠍㪐˰\uebcc\uf035㓺賢蚐次왕ׅ䎚‣鹣\ueeb8훎㋃㟍ᖭ粞⬺꪿鏕" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "\uedef펧谑ᇶ艪\U000b5d27\uf847\uf0ceᰫO嫤\U0003a2d1崟\uef81縑⒫ᥭ횹逍" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "萭쾾㮬淏\ua8caヱ㞁\uf3c6숆夰쨪﵃♉햙\U001098d4栈흥\uf207㠰帐ᦚũ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}\Compatibility Flags = "䟍꒟灗\U0008ddc2蜜灶橿藨믣㛌柁黳\ue423⚈" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3}\Compatibility Flags = "룂镶鴃ꤡ隞谅൴垭\U0005a206ቘ蓭琞뻹\U0007ffde" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096}\FWLink = "\U0005fbf8\u0c65ꙩ纖佋㳨\ue504鐤엦䪸걔㴲迶鯖䜩既\U000d0afdᨆ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\* = "幄\ue42b鸾퍂迷ƒ\ue20c歛卑ꅉ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\UserAgent\UserAgent = "ӌ\ua7dc䈃绗콆꿯酔협嶬\ue90eꌊ❏뷑ח⇛鴓" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46}\Compatibility Flags = "\ue5d1攔蹦䧩ᬀﱳ韫秨䫔⧟괲錴넠涄\ueb2a\uf4f3ꖅཤ瓇鸁" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f21-c551-11d3-89b9-0000f81fe221}\Compatibility Flags = "铷앉痚蹅댓ࢤҬ蚎绨洵ₗ⒱健犋䩛ଯ舉缽鶊☽ু" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\PlugUIText = "퀇洔\uf7b7崎쏓\uee74\ue549\ued74\u0d11葂잂췡" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\UncheckedValue = "ḹ按즮늭\U000cc135磌\uf59b꙽䙉\uef0b☭蓟瘴삳鼏" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FLIP_AHEAD\RegPoliciesPath = "\U0007ae2f㸒\uec57ᄉ\u12b7笡꜅킵\U000d5e04䕥䓾亩\uf4ac৶ⲫ\ue745ꅵ㳴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\SOUNDS\CheckedValue = "뜴컥\u2efe㍋洩떡亘\ue798ⶦ뿄뀃㝍郰荒可즕弼\uf331" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{0C1E01A6-7923-46D8-8E3D-0F62B4A0250B}\DllName = "\uf6db黍ር謺馸품n懾ꨩᆅ\uf685⧩聓뭊ꋜ鷉⦑\uf6d7ᗣ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8E929F51-5914-11D6-971F-0050FC3F9161}\BlockType = "ᮄ瀳⎃ᔟ̐䐡\uec7bᴾ\ue331胦寀탹" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AB049B11-607B-46C8-BBF7-F4D6AF301046}\Compatibility Flags = "า嶁ꦮ瞫ŵ▝\uf1f1ᅤơ簦鹀\ue8cd沢뀐ꎻﮘ熏˕寋뇴ꗺீ䤶託" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE4-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "泸ᴴኝ䥚\uec44\U00038e62ퟳ눅፳ꔰ쎾\ue1f5" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\CARETBROWSING\RegPath = "淮ዶ틴\U00038718䫍䦬ꪡ僑큵ԟ䆙夦ಖ괈⸇\u0de1\uee87⺗廮\u0a62" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\CompatibilityFlags = "\uf36bկ쀦碁竽䌏駌ⅆ큙ᑇ㒅畲튜\U000c6784⣷摪虴᙭៵ﳍ꽋" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4becf16c-74f0-429b-8d3e-4fba507ac661}\AppPath = "㱒㯻钣ㄎ靥焼Ḩ䯕⸬ዓ뫦ֈᨊ鑔耸\ua7e2꽦駶⑲\U000a8818臶ᱸ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\iexplore.exe = "鹻퍖축羓锛컪蕷뉺侟髿" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{e0f158e1-cb04-11d0-bd4e-00a0c911ce86}\Compatibility Flags = "\ued81\uef49혖룖柋揈谷䔣\ue3bdᆗ\uef1a獖⡡늯鎄鷙郿\u0e3b䋧\uef2fמּ퀟\ue016" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE}\Version = 
"욝쵄揶䔬试ⶣ\u1c8b\ued22䬞ꖺ\uee25ŢỨ퐊ꂶ韌琉\uebec" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\CompatibilityViewDomains\CompatibilityViewDomains = "\u0a0c㉌涚꽅ﳘ癬↑荦笀൴Ⱋԅ꜌ᴮ鉋쿖\ue348" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ECDB03D2-6E99-11d2-875F-00A0C93C09B3}\Compatibility Flags = "簹뚦⸋炼\u2ef5塄ᠵἵਾ\ue5f1\uf763䑙菇쁩\U000de4e8ﮉ\U0006c7a1ˈ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SYNC_SETTINGS\RegPath = "ﻥ㢼葹姅宎樽▛ീ祛\U000756cc鼣倿똿먁㓛" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{26EC0B63-AA90-458A-8DF4-5659F2C8A18A}\Compatibility Flags = "ⵉ\uf692뺌薃籀綢窱甫瀖\uf7a0ᗬ뎾놂숫\uf675硲뱒皓\U000f5f7b店ᆊ്" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CFB5280-800B-4367-848F-5A13EBF27F1D}\Compatibility Flags = "湯쥦ⴽ꒰\ue52fꫮ☡톞⋖쭚蠐\U000cb3a9괾潎+ꓶḁ㋘嗓募䑠\U000e8177" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CDAF9CEC-F3EC-4B22-ABA3-9726713560F8}\Compatibility Flags = "퇒鰿ꞅ䨨皦㟄\uabefၟ\u20f1闬\U0007db38\u0f70똏榝煸ወ鼲昭㴀ꇗ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\PLAYSOUNDS\DefaultValue = "褮늡鬇\ue41c뉔ﮃ䐪젵쾻憹랭䬪\U00012bb8她" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\UncheckedValue = "䢏ፄ\ue20b둘\ue6af\uebac\u0dfcᖦ뚅ꑚ婖" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8469A9DE-A3BF-4218-A1D2-F19AA9EA1617}\Compatibility Flags = "⫗ᙶʙ\uf6b2\U0004f322১蟳됦즀载\ue139ㅅ垛阁칯뻚起喒ݶ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet 
Explorer\ActiveX Compatibility\{D4C0DB38-B682-42A8-AF62-DB9247543354}\Compatibility Flags = "혏삀ⶌ簷庭ᙚ窤睕െ旍㭲\U0002f630" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU\UncheckedValue = "骽啘ᆦ䅰\uf062㍭뽄磼䊔ჾ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\DefaultValue = "殿眡࣡錙靣瞼녑甂⺋밈ꅒ꧙ﺋ堊踬ᱞ쉌힁⢒⿃ꉲ\ue64f姷䂍" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\PlugUIText = "崻뺵尘\ueaf3\U0001a44d위崯괐ڿ罼Ṏ蝑" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\StartPage\RegistryRoot = "瑤\uf785도鹗쌎쀕界쿸쓇嗳딎櫞虤䄨∾辌ⰶ캲ꉼ沮漸₢븨\uf201" Thorium.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "⾾ꝿ킐揩\ua7e4\uf07d\ue24f隬\ueb8f㤬᭜Q훚椕ᚯ\U00059f97晭℟谾\uf28f\ue31f\ue6f7" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "믓ה\ued88䥴겆겄叿㸣닁偰囄阹琎" Thorium.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\System32\drivers\ws2ifsl.sys,-1000 = "⼴넀壛紺\ue9d9\uec1b賸뜊猊愧纨\ue936" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\EhStorClass.sys,-100 = "\ue5ea𫿋\uf4de㙫曑\uef69북팳묤抲豚" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%Systemroot%\system32\rasmans.dll,-200 = "攗\uf711⮓䨒쐡뀯읟⠾䦟햪䷁็핟拫倲ꍂ쎢䷰" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.DevicesFlow\appType = "ଗ뾞됦팕㦁䌚\U00108688ᷤ庩࿊ຠ䃼" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Microsoft.Windows.InputSwitchToastHandler\wnsId = "\ue219哳흲\ue9a1ᗢ約㮂႔㨥𐲓" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\Quick.AssociatedWord = "翥谝㟒氖셏샶ౚ뷡ঃἺꜱ徂﹩꯰¥\ue96d씓ग熹\u009a" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme\Name = "誂喳髏㠷抿⋊몡럓沬\U000d9fc6Æ" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.NfpAppAcquire\appType = "杵趵\ue6fe㮪䩗蟆\U000690c3韏훚蜾Sᱞㅑ萯≲竸Ⴣ䖠벂編塋ᨥ" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "\uebd4ῴ転\uebfd桤鎭巡僺뢨ﳽ菆" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "튏跟ᷞ㔬굃\uf407⇉⸢㗔橓뷤⛃䦜ᱵ맱ⴅ↘忀┊痚\uf114꽭" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-19\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe\FontFamily = "㡩괣㳺潙\ua6ff略שּׂ\uf2c9䧸\ue8de쎹ꕰﶩϰ塸\ue152ﷀ敲" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Lock Screen\LockAppAumId = "Эᡉ㙉\U00105f91ꗎ硒ΌꁁҐ\ue183꒔筁➺㉅暀𰑇" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\lpasvc.dll,-1000 = "凿ᆩ㲞⽞‸‗ଂ㬅ﮟ⤺鈓⎱藹噻뢜쨋" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) 
\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MoveMenuItem\ = "熉몵╊ҷ糰컋\uec02ৌ䳝삅\ue544" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\DiagSvc.dll,-100 = "ꊯ乖폴퀋\ue740\U0004dc67\uf355ꕊ矔煄沧ಟ涡跑桫襫" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\Help = "\uf825㝇弯詂ꊖ訤칧怎曆\U0004fafeᬔ濖\ue8a3" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338387\Version = "퇅븉쪗\uef92瘠\uec46㤌㬝蜂⏼㍰\ue819에純\uf545爽糱锝盶\ue1dd욮㠊ꬠ" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\Microsoft.Graphics.Display.DisplayEnhancementService.dll,-1000 = "암⫚̐閴쎙᫂ꍮ\ue8df碔斐\ue4c2" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\TitleText = "ᐌ䱜쇽걮叇퀹褖뵁\U00035059Ꝛ砬頹헫倬覣早獛街喙Ꮳ縷≇仠" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\WindowFrame = "簛͟緯㪨쐧ᰴ怉檘葤▸㊉뼎⊬狣䤧" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs 
powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.AudioTroubleshooter\Setting = "島㸕⒠ꍄ\ue533忝䔩\u0af6倂⣫澏뗥蝃씥櫓꘨\uea3b" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\Keyboard Response\Last Valid Repeat = "ゆ\uf6b8ᇃ偸⻲ﳐ濋뇯獝㞐ẉ潚㣊鸙ጠᾃ谲邱◟譐\ueee4쇸뵪" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\Window = "씵啷ڨ륢룒鋑\U000ae5bb\U0001647f\ue48d救㪄ັ\ue0e6䢨ጲ鹁" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%windir%\system32\bisrv.dll,-100 = "癙툁孧蕡Ո筪廚ꍪ皗ଗ\U000ff796⊣ҥ塅\U0001a100ⶬ맫䯕ꜜ\U0001c793㗋" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\tokenbroker.dll,-100 = "⒅䳁휰ꘚ꽈╴爵蘨湺꿻滮勉鳀寥矮칖ൻ柏\uf860陛笭ᜟ⼛" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "\u20ff稺鎍䌦䬯⢡\ua63c呧寳案ఋ䘈⥰\U0006a50c" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.EnterpriseDataProtection\Setting = "蔢쐽儙쾊篟椆ฌ\uf184ᔶ䭡ﵹ" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\DragFullWindows = "㰥ꥵ㴬\u2dbf妧綱到㣬鑖迬皳쉟☯⑽ߩ烜䄽椾൹" Thorium.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "㌪샱㴸돂q抌굤\U0004bdcf䍰䚟펮慠括欑\ue409ꭗﮩ궢⩴妔" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.SMS\.Current\ = "핲\ue678\uf542\uefd5쇦\ue69b䢈廎ŋᄲ뵷𥓨侂發" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Speech\Preferences\AppCompatDisableMSAA\devenv.exe = "⓸粚迒둸យ㳋까嫫楹⹎ᦗ䖞컫˿錖䥉" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemExclamation\DispFileName = "ན돲앋\uf3a9䂂庻㱸\ue831鹈㰫婸樘藥灥⁾鸻惮ﺂ斈ﮑ쾾坛魦㶴" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WindowMetrics\ScrollHeight = "䟛⺭榵᭛롎搪십\u1ae6잗寝뒙\U0010a71aᕩ" Thorium.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\SupportedTypes\.ico = "柦ᰚ顙㺻劀䳾죄붫䍕紝萾\ue601ާ㔙諡呍\uaac3裥䉻㶱\ue864ᇼ\U00088871" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{212690FB-83E5-4526-8FD7-74478B7939CD}\FriendlyName = "挬沱뾆\ue428│苝榃ー䇭Ἴ\uf6d8忨썛媆" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14DE3806-5D5B-405C-AB89-4AC936BCBF48}\InProcHandler32\ = "霉욞ᩍ㊌\ue105\U0009381f涁뛃見摒霟允튌ⵟ\U000cfc9fᤔ\U000d09eb牺" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "\ue0f3\U000b8b3c搘긿ﴑ涉읍망ﮍ瘰\uf626赛ᔖ㇘靿ꃩ㥹ᬅ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "룒\uf8e2꽜꧌戌宪訙쀅큧ﶥ榐䅴趖癄" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\PersistentHandler\ = "㍥⣁慗\U00038338ᝇ궴Ὤ병䱂\ue47e" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{FED4ACC3-87C9-45E9-A026-5B59A855E687}\Copyright = "⋪䁐\ue4c5㏣蹽戈Ꝁ☛\ue4ed裏嗫ꘌ疗果禥ꄛ꼼" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3936E9E4-D92C-4EEE-A85A-BC16D5EA0819}\InProcServer32\ = "⛳窜劎㩋៱\u2069蚻ᙬ锗쀔虘\ue2b8桕\ufdcd㵕诩㴻\ua631" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SoftLanding\DisplayName = "\u2e5e⇧Օ\uebb6⏐⮆\U000ea1be\ue43a䠀⎿뷜伯ꉄ즪붍ꥁ鼳\ue502灤" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}\VersionIndependentProgID\ = "\U000426c8퀍郮䪢炮맩\uf0b5ꇈ\uf457譚\uecb4⩈訜첨" Thorium.exe Set value (str) 
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2364  Thorium.exe
2364  Thorium.exe
1408  Thorium.exe
1408  Thorium.exe
5576  powershell.exe
5576  powershell.exe
5576  powershell.exe
5576  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
5000  powershell.exe
5000  powershell.exe
5000  powershell.exe
5000  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
5088  powershell.exe
5088  powershell.exe
5088  powershell.exe
5088  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
2216  powershell.exe
2216  powershell.exe
2216  powershell.exe
2216  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
5076  powershell.exe
5076  powershell.exe
5076  powershell.exe
5076  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
4508  powershell.exe
4508  powershell.exe
4508  powershell.exe
4508  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
3468  powershell.exe
3468  powershell.exe
3468  powershell.exe
3468  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
5108  powershell.exe
5108  powershell.exe
5108  powershell.exe
5108  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
5808  powershell.exe
5808  powershell.exe
5808  powershell.exe
5808  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
3048  powershell.exe
3048  powershell.exe
3048  powershell.exe
3048  powershell.exe
1408  Thorium.exe
1408  Thorium.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                    pid   Process
Token: SeTcbPrivilege          2364  Thorium.exe
Token: SeDebugPrivilege        2364  Thorium.exe
Token: SeTcbPrivilege          2364  Thorium.exe
Token: SeImpersonatePrivilege  2364  Thorium.exe
Token: SeDebugPrivilege        5576  powershell.exe
Token: SeDebugPrivilege        5000  powershell.exe
Token: SeDebugPrivilege        5088  powershell.exe
Token: SeDebugPrivilege        2216  powershell.exe
Token: SeDebugPrivilege        5076  powershell.exe
Token: SeDebugPrivilege        4508  powershell.exe
Token: SeDebugPrivilege        3468  powershell.exe
Token: SeDebugPrivilege        5108  powershell.exe
Token: SeDebugPrivilege        5808  powershell.exe
Token: SeDebugPrivilege        3048  powershell.exe
Token: SeDebugPrivilege        2696  powershell.exe
Token: SeDebugPrivilege        1148  powershell.exe
Token: SeDebugPrivilege        2112  powershell.exe
Token: SeDebugPrivilege        5956  powershell.exe
Token: SeDebugPrivilege        3720  powershell.exe
Token: SeDebugPrivilege        1196  powershell.exe
Token: SeDebugPrivilege        880   powershell.exe
Token: SeDebugPrivilege        1600  powershell.exe
Token: SeDebugPrivilege        4164  powershell.exe
Token: SeDebugPrivilege        5012  powershell.exe
Token: SeDebugPrivilege        1944  powershell.exe
Token: SeDebugPrivilege        5892  powershell.exe
Token: SeDebugPrivilege        5408  powershell.exe
Token: SeDebugPrivilege        3148  powershell.exe
Token: SeDebugPrivilege        4116  powershell.exe
Token: SeDebugPrivilege        3084  powershell.exe
Token: SeDebugPrivilege        3336  powershell.exe
Token: SeDebugPrivilege        1516  powershell.exe
Token: SeDebugPrivilege        404   powershell.exe
Token: SeDebugPrivilege        5688  powershell.exe
Token: SeDebugPrivilege        1464  powershell.exe
Token: SeDebugPrivilege        2144  powershell.exe
Token: SeDebugPrivilege        960   powershell.exe
Token: SeDebugPrivilege        5212  powershell.exe
Token: SeDebugPrivilege        2008  powershell.exe
Token: SeDebugPrivilege        4048  powershell.exe
Token: SeDebugPrivilege        4888  powershell.exe
Token: SeDebugPrivilege        5140  powershell.exe
Token: SeDebugPrivilege        3540  powershell.exe
Token: SeDebugPrivilege        4104  powershell.exe
Token: SeDebugPrivilege        1880  powershell.exe
Token: SeDebugPrivilege        5872  powershell.exe
Token: SeDebugPrivilege        1608  powershell.exe
Token: SeDebugPrivilege        1524  powershell.exe
Token: SeDebugPrivilege        4264  powershell.exe
Token: SeDebugPrivilege        1788  powershell.exe
Token: SeDebugPrivilege        4824  powershell.exe
Token: SeDebugPrivilege        396   powershell.exe
Token: SeDebugPrivilege        5816  powershell.exe
Token: SeDebugPrivilege        1372  powershell.exe
Token: SeDebugPrivilege        1508  powershell.exe
Token: SeDebugPrivilege        4880  powershell.exe
Token: SeDebugPrivilege        5560  powershell.exe
Token: SeDebugPrivilege        1736  powershell.exe
Token: SeDebugPrivilege        536   powershell.exe
Token: SeDebugPrivilege        4656  powershell.exe
Token: SeDebugPrivilege        4844  powershell.exe
Token: SeDebugPrivilege        3044  powershell.exe
Token: SeDebugPrivilege        996   powershell.exe
Token: SeDebugPrivilege        6064  powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process      procid_target
PID 1408 wrote to memory of 5428   1408  Thorium.exe  81
PID 1408 wrote to memory of 5428   1408  Thorium.exe  81
PID 1408 wrote to memory of 5428   1408  Thorium.exe  81
PID 5428 wrote to memory of 5576   5428  cmd.exe      83
PID 5428 wrote to memory of 5576   5428  cmd.exe      83
PID 5428 wrote to memory of 5576   5428  cmd.exe      83
PID 1408 wrote to memory of 2848   1408  Thorium.exe  84
PID 1408 wrote to memory of 2848   1408  Thorium.exe  84
PID 1408 wrote to memory of 2848   1408  Thorium.exe  84
PID 2848 wrote to memory of 5000   2848  cmd.exe      86
PID 2848 wrote to memory of 5000   2848  cmd.exe      86
PID 2848 wrote to memory of 5000   2848  cmd.exe      86
PID 1408 wrote to memory of 3160   1408  Thorium.exe  87
PID 1408 wrote to memory of 3160   1408  Thorium.exe  87
PID 1408 wrote to memory of 3160   1408  Thorium.exe  87
PID 3160 wrote to memory of 5088   3160  cmd.exe      89
PID 3160 wrote to memory of 5088   3160  cmd.exe      89
PID 3160 wrote to memory of 5088   3160  cmd.exe      89
PID 1408 wrote to memory of 5180   1408  Thorium.exe  90
PID 1408 wrote to memory of 5180   1408  Thorium.exe  90
PID 1408 wrote to memory of 5180   1408  Thorium.exe  90
PID 5180 wrote to memory of 2216   5180  cmd.exe      92
PID 5180 wrote to memory of 2216   5180  cmd.exe      92
PID 5180 wrote to memory of 2216   5180  cmd.exe      92
PID 1408 wrote to memory of 2296   1408  Thorium.exe  93
PID 1408 wrote to memory of 2296   1408  Thorium.exe  93
PID 1408 wrote to memory of 2296   1408  Thorium.exe  93
PID 2296 wrote to memory of 5076   2296  cmd.exe      95
PID 2296 wrote to memory of 5076   2296  cmd.exe      95
PID 2296 wrote to memory of 5076   2296  cmd.exe      95
PID 1408 wrote to memory of 5440   1408  Thorium.exe  96
PID 1408 wrote to memory of 5440   1408  Thorium.exe  96
PID 1408 wrote to memory of 5440   1408  Thorium.exe  96
PID 5440 wrote to memory of 4508   5440  cmd.exe      98
PID 5440 wrote to memory of 4508   5440  cmd.exe      98
PID 5440 wrote to memory of 4508   5440  cmd.exe      98
PID 1408 wrote to memory of 2232   1408  Thorium.exe  99
PID 1408 wrote to memory of 2232   1408  Thorium.exe  99
PID 1408 wrote to memory of 2232   1408  Thorium.exe  99
PID 2232 wrote to memory of 3468   2232  cmd.exe      101
PID 2232 wrote to memory of 3468   2232  cmd.exe      101
PID 2232 wrote to memory of 3468   2232  cmd.exe      101
PID 1408 wrote to memory of 3000   1408  Thorium.exe  102
PID 1408 wrote to memory of 3000   1408  Thorium.exe  102
PID 1408 wrote to memory of 3000   1408  Thorium.exe  102
PID 3000 wrote to memory of 5108   3000  cmd.exe      104
PID 3000 wrote to memory of 5108   3000  cmd.exe      104
PID 3000 wrote to memory of 5108   3000  cmd.exe      104
PID 1408 wrote to memory of 3008   1408  Thorium.exe  105
PID 1408 wrote to memory of 3008   1408  Thorium.exe  105
PID 1408 wrote to memory of 3008   1408  Thorium.exe  105
PID 3008 wrote to memory of 5808   3008  cmd.exe      107
PID 3008 wrote to memory of 5808   3008  cmd.exe      107
PID 3008 wrote to memory of 5808   3008  cmd.exe      107
PID 1408 wrote to memory of 3780   1408  Thorium.exe  108
PID 1408 wrote to memory of 3780   1408  Thorium.exe  108
PID 1408 wrote to memory of 3780   1408  Thorium.exe  108
PID 3780 wrote to memory of 3048   3780  cmd.exe      110
PID 3780 wrote to memory of 3048   3780  cmd.exe      110
PID 3780 wrote to memory of 3048   3780  cmd.exe      110
PID 1408 wrote to memory of 6048   1408  Thorium.exe  111
PID 1408 wrote to memory of 6048   1408  Thorium.exe  111
PID 1408 wrote to memory of 6048   1408  Thorium.exe  111
PID 6048 wrote to memory of 2696   6048  cmd.exe      113
Processes

Each entry gives the process image, its command line, the signatures it triggered and its PID; the bracketed number is the depth of the process in the tree.

[1] C:\Users\Admin\AppData\Local\Temp\Thorium.exe
    "C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2364
  [2] C:\Users\Admin\AppData\Local\Temp\Thorium.exe
      C:\Users\Admin\AppData\Local\Temp\Thorium.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Checks BIOS information in registry
      - Checks computer location settings
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Event Triggered Execution: Netsh Helper DLL
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Control Panel
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1408
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 5428
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5576
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2848
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5000
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3160
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5088
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - Suspicious use of WriteProcessMemory
        PID: 5180
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2216
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - Suspicious use of WriteProcessMemory
        PID: 2296
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5076
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - Suspicious use of WriteProcessMemory
        PID: 5440
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4508
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - Suspicious use of WriteProcessMemory
        PID: 2232
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3468
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - Suspicious use of WriteProcessMemory
        PID: 3000
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5108
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3008
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5808
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - Suspicious use of WriteProcessMemory
        PID: 3780
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3048
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 6048
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2696
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 896
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 1148
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 436
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 2112
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 4072
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 5956
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 1208
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 3720
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5920
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          PID: 3836
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 2364
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 1196
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 5668
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 880
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5968
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 1600
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 3164
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4164
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 5620
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 5012
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 2268
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 1944
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5048
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 5892
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 4212
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 5408
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 3028
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 3148
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 4084
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 4116
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5480
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 3084
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 1080
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 3336
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 1920
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 1516
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5476
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 404
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 1972
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 5688
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 3512
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 1464
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5320
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 2144
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 4604
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 960
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 5176
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 5212
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 3616
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 2008
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5700
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4048
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 4076
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4888
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 4904
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 5140
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 6072
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 3540
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 4352
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 4104
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 4504
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 1880
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 5972
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 5872
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 1200
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 1608
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5460
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 1524
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 2396
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 4264
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        - System Location Discovery: System Language Discovery
        PID: 2020
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 1788
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 3076
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 4824
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 4456
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - Suspicious use of AdjustPrivilegeToken
          PID: 396
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 5268
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 5816
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
        PID: 3704
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Get-Process -Id 2364
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:960
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:4864
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:3664
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:3344
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:2312
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5840
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3640 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:4104
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3144 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5772
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:4264
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:2688
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:4216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:1292
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5688 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:3120
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5652
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- System Location Discovery: System Language Discovery
PID:1088
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:1372
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:4540
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:4984
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5304
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:4196
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5164
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:1628
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Modifies data under HKEY_USERS
PID:5676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:536
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:4484
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:4856
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:4108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5484
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:2452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:6028
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:232
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:3988
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:6128
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:3048
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5024
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:5432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:3776
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:3208
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5228
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5948
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:2840
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:5916
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5232 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Modifies data under HKEY_USERS
PID:1856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5708
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:4368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5068
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:5132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:4692
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:4696
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:1044
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:4000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:2512
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Modifies data under HKEY_USERS
PID:4340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2084
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:2452
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:5504
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵PID:1452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:4588
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:2696
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:1112
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4256
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:1612
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:1400
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:560
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:3584
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path3⤵PID:1012
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 23644⤵
- Drops file in System32 directory
PID:1864
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 9483⤵
- Program crash
PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ$1⤵PID:2152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 쓪똔药๚ㄭዉ嬞1⤵PID:1900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 䲩뿕덽羢徺彼堺1⤵PID:5324
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 멢赇┼⡟앳ኢ熑ﵢꟂ䬢岫⡑镾釢䱂㹶꒫㙷櫴煉1⤵PID:5908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 鍧┫ﮟ醓뙶ɏ㺙䌝皦䢦1⤵PID:5500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ܋⦅ꉼ었⦕ꤔ이Ꮷ㋢﵋1⤵PID:1740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1408 -ip 14081⤵PID:4572
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: e080d58e6387c9fd87434a502e1a902e
  SHA1: ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
  SHA256: 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
  SHA512: 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 376a78c42dd21c47f04b7ea40478eb98
  SHA1: 83407fd533237032f573e65275fb09c13214c338
  SHA256: e4074ad0a6e28b9e5f3c63710f9e63f232039d9e10196f8097f242b4ad2f3383
  SHA512: adca3d6b089bf02a40ae29c4cb5821c37788d933250265309d4020ed254c6112c8cbd03bddbdcf9c1bbb6ea51e14c1e058f4df0de81d37291fc8cc40a556847a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 6da6be01fb06ab121838f6ebabff7c30
  SHA1: d56471925f4c20eed6b46cf6ef3ae2ed2090f169
  SHA256: bf300254a69e95a95c485db7f71d6edb84c7c27b3e797d8e801da378e63c91f5
  SHA512: d8caf8fec4eb6c214d09b22a362767ac5fc5025287496f96f84961e73dbd2a4671c9bdf632e7423f08d765d41d99b55fcfe0d3e052cbcde9121a2e9869f727c6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: c8f7fc479884ee669045389fe30c52f6
  SHA1: 37db640d09b5dee7be2ad1c6ba9320b0f0b43921
  SHA256: 70d05fd23b8424d01e981d4e9a6eddc840f21c6433e1b689094e447cd9175d6f
  SHA512: 2aad67665cc6ad7bcaeb6a892d161d6e6d38ad25e18f14621279f1853bf3ee3f0ad9d8daab6f54296f637c41aa166e8c9bc40bace3f2b0263fb221a06617b537

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: eb7a8f54ab4c0f9af2732d61c2e476d8
  SHA1: 4e01bb56ae9cc11fbb86e7d8bff7856e654f25c1
  SHA256: 5ca5078ab9ca67d6a4efb40c57102e4b33941919250bb5f710edb6c0e6cf375e
  SHA512: 294561af3eb32db05472dd552fab50d3b451f079a89c47200bd5c2b06be39db4c65edf0356beed10d156c972309e75631d9d7b942bce5f52d6b6dc18e4ef62f7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 3bdf2d9264d8ae187116462ad18307a1
  SHA1: bd245a7cdffc045765e793a16f630135e59eea4a
  SHA256: c4424dee00cfec62c0ffd3a63807492656b1ab952f3332225d5f8a140f21b2fc
  SHA512: da45f7c7be1f7d767bfe6993cda1493dfcf8f4abec64760000a92ef9c440c51887eda8c9d3183cd6ef803757bd6876c33b46c44580d250a99d0c993ee666feac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 2cd5954215dca550d54c023b971d16c9
  SHA1: fd328c99965fb7598d42e7303b5efa90e249b0bb
  SHA256: bc5e245c38aad0eb7b023c4ba2005c6d1f72b6d1d38d3633371257899b6f8378
  SHA512: 0343a98ec69459a0908f3b5513d2515f437a68b28b273717ace5b7deb7ceb96c837b13dc19006777f7977c1935d5b0f32a0cb41ca181b25f4d75162847b44013

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 08c144fb5731dbbd8aebf23a30f349cf
  SHA1: d9ae2546a10f9b806262ae61d1c5b3b53bfb1530
  SHA256: 93a6e30716ab0d7a311ffc9ab50e426243ddd55e7768da235c3530e756fa44e8
  SHA512: c35cbdc18891797491a1633deb8eb202624f5b14900840636654c460b9a61be696f0dc5ad7f023309c9edb7fa5b6f69a164680b3ab76c41db68c6f8aa2d984a5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: aadf27a4a49675f35f5af7dff555bfae
  SHA1: 4764572b20ac0ee6d4d3a419fd36ef594b444582
  SHA256: 40bcc4a3e8c9ed030c104b0b1b24579ccc76dd8b7d7fa7df9ac7fd32927bfeee
  SHA512: 5532395c2b5fff7d6f6067b664be4a5fd9afd61fc2fdcf5dd6e368d4a0fab81420fa2695d1c1bee365c4affc8ff3928443a054de8391c36fed6fca75ed7f66c0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: f7eb297e1b37cfbe175b3fab4de87fb8
  SHA1: d7acf2b1c9d0ffe06249e7764cb4b1835a00c29a
  SHA256: 6bf4397ed50561ce7a25991a0d2d9da3fd2d875445b4b6c1fdcbea78e6bb7639
  SHA512: bf3befe91021b90caf4e6063f54830c0df3878ad89b77446a3a270d7e17fb87d792b355f4bc897d428e40c807533536883a55ae8efc4ebac05c532997a362704

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: d0a6b6e9dd5bed2f2475d66df4fa3ba4
  SHA1: 41d8205cb99ea1a17e70f19520178ba36dce3e99
  SHA256: 9a8489b2f5e809e51f095ea5ed2c2a462d267c655776f4b2ecfb8dd03bbe6318
  SHA512: 076f6ca143bdcbca536177501efc94dc3c84e1848fb634f313e6b7d34b2414e005b2f5037e9a3359306cf22cfd4a0b6a193f7359dc9509b5248a52919abe7191

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 8682b2472f84fd3f310c8f75ad61b43e
  SHA1: 736f6371b68f945243288cffc8c21ac85aa2edb8
  SHA256: 6ee8028578e1582d9acabcc6bcbeb89b38fba6fe6aefbc780a2babbef702db37
  SHA512: d2ec5fb22e4261cef8faeed9d9898fc79a3d5741627051370971d3f6f3daeffb357ce8e345ef2a3ed38241025c4b276a95e9b2193cb7d74b14ca4185930e42f5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 1f1f8686662d8344bdbee7e7f81e6307
  SHA1: 7bb2b0ce8eef53c26e3f6a75536d565ed784859a
  SHA256: 6926dcf9a204a581b4c7d62050b0818a8fac89bf79094183e6c50f53c4bc93fa
  SHA512: 2d721309d3e348138c3fa08d3bf7949fecf7dbf177af12503d63a34c436b4823473289c0d62becda7433133c5235e3717446f905eef6bfcdfc9909fdaaf54df5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: a302af9be80aeb7874be2deb0a7444c8
  SHA1: 926b40dc0adec67a7b5b9df15cd87d52db534006
  SHA256: 797ad19a352acf06dfc3b4e018724c186c01ebbc021bb2f54d13d5e585fa0cdf
  SHA512: 485b2c3f8f057c70a38fe0dabb228fade12acd5ad8715a9482b0d5085f9322c649000c13710d6131bde46df3c586072c3e11d5cf00b583a0abfee87c4b8ef155

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 3781d35ac290f616dc25ef7ca8174dd2
  SHA1: d697871cc802ff690252b69dbb3bc4b9f51acd89
  SHA256: b117469ff3a3a727247c0a834bb55170eee0260c89f9ece3e71d00ad74c1b324
  SHA512: 40e3af3d40aa3baa3b8764078fb67efc6e244983593359df01a99eb3dd6e29dca3f71c53c74094263bddb733bb56bd2249f4e13fb28cb6accf8bca79216e9626

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 888031cc38b7b722c6e8b59370562c02
  SHA1: c9cd4e50faba3be6d406889430fc2c41b2ac96c9
  SHA256: 2925d11791b3b12f1a99d39d98c6b56a941e2aac86139d0ca0201bb186247a4b
  SHA512: 61668e01a482f0a5f712f447a214d3f91af9b93b53276384c57dbfc988e09d6e361a1dbc5cb35b679d8482f72221e6cf6259a932f97ecb1018a02a31ae6657ee

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 6d3c45f724bb40e8f87a7a54046c3dc0
  SHA1: 3083e66d8646ee13bfa1378eb255842802148bf8
  SHA256: a5475b5ff7721e216f9ee94cec287c6041fc654e64527004a0e27afe708195f2
  SHA512: b8b9ead5e1fc92ce21a9620cfc0e08e6d883bc982012a91f9d281133fcaa9433cb1ecf50366b70c7907c57f2189542d36efe798f2e0c10ac5826d3aab0874eef

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: de3e5bcf51659f589a3fb0fbb306c2b7
  SHA1: a28978e45a6c23a81c8780cbc132123e457bacc7
  SHA256: 96e0ffe25061ffc37a6dc918f7aee05f91a4707c3909c10974c37e73a93f2e76
  SHA512: d6040ee0f3d52df8e30e30672993089b593e7dea937ad51d13b3741aa58fca2a2075a823b876f31036cecb6d41461e266422fe5da40584623e2742add5568e2a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 8021a6faf7ca3c41c2a6a818e93f452f
  SHA1: 49a261075e7ab3429f0d04e4f9822dff2a66113c
  SHA256: 1a034ff0032e03ffb699ee44d19aa8046daa94700fa1d6a248637e9581267eca
  SHA512: ea03fab4acea186e58401153dee2a455c851f18604dda9e4d87635d1a13198c8efd341ebeec66e9ae15ed640560c9511a74c63a69e2beb609821b91254a92e4c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: b6c2097b89792a51aba8925176e635a7
  SHA1: 8a5ece4e51ffbcd150cd87392e974d8336ac6d97
  SHA256: e35c926fc769469d5fe8e632cfcbdd9bdfa4830c2c950acf49e979e627e8f770
  SHA512: ff51f38ee4602b605a58ad78c2fdb84f28d07755a2d343d36a3f69c77abd68b66a3dd0f8b5679c9cf6ebc4b41c5379cd949d80e273d7faaad7fc01cc4a0954ff

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 8cf24c4af42742de34d86b4d60caad7c
  SHA1: c55e911f5e628a557ee2e051dc00216d769b29df
  SHA256: 0661d85e75d5f152d3c4a7cac1ce26236e7dbac4082a0ed5b65b8e1610e42dbb
  SHA512: 1331979275a309c1f9c60858c1d688375c4725348175e99bea489f4a7c9347ac6ec21dd5c26cc9de5307b3cdd9db6d7445ceae89b377405421700b8101007153

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 15fb97dc4473e4f61ee7e5838bb45f81
  SHA1: 3764da53da5a3e59ec5cd4675acb36a5bacc8046
  SHA256: db81e9da12b8982733b53c398e015bf67ca1ea023f22cc05fcb43d7ab922e081
  SHA512: 15671fc026590e460c434fcc7e414fd6ab2afb4b0d7b68929602f3b7492978e0caf234f12bcd6e086f9d71dd80039b99a3c300cbfe08533976cb12a90a3fa5a6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: e8753d0e521e02e125c9a35a99823431
  SHA1: 00b0b302099c9de64ec484457c573c6d079dbfad
  SHA256: 5cb24b6864f8f38fbb46265e85206ce16e3512b12f3d45898e783fb093ce6309
  SHA512: a665d86c4b98e9a01e6111887687a12e3e644484813d85125c3811b43d42ba54b935c5d8dcd7f94ae840cf7119d9483d4ffaf773193e11fcea49f03a325df458

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 16a0cdfe31a7a2fa15462f170dd1a79b
  SHA1: b5050fbd2002ab5d5b0d962c082d0cc6ae08f49b
  SHA256: c32c5d7cff30d3329b7aa123d38a0f6969279e7a70b0b1603ea0d72ab0713f28
  SHA512: 09136418c3a777bc68f93c3bd75892a8c364cd84eaa55e7eb77bd6841cb679d78e11f80914fa0dadcce01167ac284515d73706e758e0a202b2dacee2025ba49c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 5478eb4d645ce6cf8c34be223269d40d
  SHA1: 5f6e1ff77edf84667bb5f4b238dd78df66aec12f
  SHA256: aeb28fd54de53e323e30d4c087164eb39855035c8b6daf296682dfd805f5404b
  SHA512: 4618192f91c3a6f9c62f025cd4fbe8168270f7a56931a204aa344162347ddef369bbc14d440154436ae26e4e8d10ab8bb4e778477a197fa53e51bdeeda0e7e1f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 6c9afda6e856e08433097d56a85683e2
  SHA1: 587331a64f0aee7ddf395ce07440cbeab2cca549
  SHA256: 704b40cc2c8f863fb6de709176679b8bb66d944c5acf86be21eb538ca501be9f
  SHA512: d4da70690f9a2e2f2de0224da03e51bf79480a6431bda23c07dab06c3653913e5d64f44577c3bf95100eb61b15e3a08cba82924b86d9cfb09876b3c0c0a0f5fc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: ee512969fd8d047322923d1455d777a3
  SHA1: bb184520f63d6196fafb7424f8fea428bccb1ac3
  SHA256: f280bd3822c9d87b07e13086057d0d407f135f9ebbfbc78f63df6d15fe7183a7
  SHA512: c4931bdf05c3c903c9f18db4cdd6b1382b48ced778e41924fc7c9e9ab74c3858039a49d6ff2fd722e3462bb3e9c18c789e7ea83443f38fa7764bdf62083d8821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 98047991bb6242110afec81c2c80849a
  SHA1: a9155681abcfc0473f1b1cca1368307ad07b698e
  SHA256: 609819daa6dbac554a87fb2c14f3037a7e72c64189ba6c7ba69a6de7a4a1e611
  SHA512: 2b3488a7f42a74db233b4249b60521fde60d6eb84b1b6e8ca29da1fb49c488bfcf608ee992060a0eaf75f6c1aee55f76ab3e7096b08fe35b9ed635df8c1fb75b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 191dd4839ea254e770cd74d23ce21b0c
  SHA1: a379de171ac9955e7aaff3004f97a7ec05ba07b4
  SHA256: dc6a65bace739ddd5d35af8d9f0c6566debdc7335f22540d27f08b374499bed4
  SHA512: 011250f58d614ad163052f717042fc9bca27f193cee2eb289b87a192c690f5566db5d53dbf7af34ad39f51bd4c79a8a5dd2a451fa4ef9b60c8e2e9eaadc28e05

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: fd4e48335a8f3b630181c64decadcf0c
  SHA1: 58e9fd9fa9b1f35bc43b824772fcc3cbbc989976
  SHA256: 2efcf7cf330ca919707b6bfd9abe107e95cf85454be4908b96d77fcdc26d3b56
  SHA512: 3cd5d66fb992050cbad6ecd0314735f6e067eac795d71a240b6ae7564e477eb50601669812b8a1bfc382868f8aa450709c26365308a91179afbadb3385a94abc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: f5633b6fdb00af6607ab845c98a2700a
  SHA1: b4c15145657093363cb05a36461b2b4162de5bd9
  SHA256: e576cc06446553840c2a97c906e2af8a960fcb8587023d8629b46d50e625d1ad
  SHA512: fa15d90442129afd031f86850a99f60d780e5bbb6b5a6ce1cebe96aec7a3f7479cb5c83d894a4fd42f35fdee19c01ed61f68d580a2a98979d4f758cb86b7346a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: cd43fd50d4b7af2b3b2383b81369c5ff
  SHA1: 9775da426390fbd883f3baa52a3876903f442f75
  SHA256: 6ec2aaccc0b4c5ba0ff3ae73cf0d2499e53640c44767bf58dfd56b299d8e1a90
  SHA512: e684d00785e544ea39fb92dca2162f59ea884ec3899281c976227c228bfa40b0ea6343b182b1b98db48ec0f078f36823544d6c635438d6b103686defe4d55990

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 2fa00569edf70b81eb773f5c3df2eca6
  SHA1: ddcc2bd57673896d8e7e5904d59d8ff88d93f6fa
  SHA256: 3c5db275f79d29f9922ad12ccafbe866f7449841de1576608ef1516f0704488b
  SHA512: e6d01a91971b2a25f48357a44316a88e1de6f4262cebb4c472a2d18d5b3c7d7286563fc13b5834522776ab27014bfba95092467942ab965c42585c9c73f42a7a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: d7170b4be3fd15ddc8f45ae0785f7a2d
  SHA1: 2b047fb3556e28cb32587b9eb38f8b9d6b8fb75d
  SHA256: 96d587c37b8902e9c39443b0f3f21c867322e608a6ef5694aede49bd58e7dd4c
  SHA512: f68d6643fae6da4f776962a2da7bb334dfb49ea05323b195fb05c494577e6bc8bf4223c199bc6fff11493d37f2a7ff935ad56547786ece77022b7b96a77e69e8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: d75e594b0dd0ca74affadf1109691a72
  SHA1: 8398d3c67c039646d4f1984515320fe1dddf82d4
  SHA256: 82e5f60bca568b0fc438120881ee0a726cb09386fec4818b87bf429f9ef6559b
  SHA512: 6fc0617517e2956a96d9c4efb4061a701d10bedcdabfd439e802f4fb3cbcb6a7c74fc429870cb2bf37a908a4229873d3e946f0eafb6e22f2c5555e4474c34009

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 90806d556573e2c869ed4321d2bd14c3
  SHA1: 115ee0fe557bd27e1f280dabe103f340a5b4af46
SHA256f0cced39bb42777170ebe03ee6407ac88a228252a9d6fcfc4d9677540788c90d
SHA51248d35d034f8f6ce25ef9152a3998d52756eb0c94932e2e829aa2a141d36407dff2aa50a9c41048cd1f548e948980a1c7e5e853ce58e4ef51fda0440f1d3f6081
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5dc9034a7b108c693c6e3ba3c619eaf90
SHA17944e99264a97b72ce10136f64ab4e6d362c4643
SHA2567df9e6ab28023f592fa537fdd2dd05b7fe7a8b6d1b874819554048569c0de12b
SHA5120df494694cf7d3d6093328581b89709057eab12ed2d2abf22c6bb1916c218d25b61609e8c1b61fe0259b562cecdd66a08b520bb2d5f720ef3ce4ae843bc70272
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD54a2787069d8c0d3fc368f46cba78e036
SHA13e98fde45ae59256ce19c83cc23e27de5eba4be1
SHA25697bdaec935c6e50e7f2616dc923f7e7dc9f43a52204360c39a2d8bb9fa4ed60c
SHA51221ea5b411a92bab2a9394f7648d8ee18f611d10d58d722a250e3009bc2b7659ac2b837f994a803f77931d3643a01ed030e4f03cfc7606ab62fff9a11b3bb7489
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD571f9f9014626ad76d8b3fbd1af20d976
SHA1a7295d3250053d8fce0c3f714a8a1a9318e87189
SHA256d54d97788691060aabe8f259df0aa6250d6e110eea446a8f5f460aec2ddee693
SHA512d5ba746f3bfb445efb9df50c8885072d9dfe278d0d42c7ceb3ea7e75daebbffb7967a18f1d2011c4976311fcde82b6a00ab9b9c04900abc739f725cd5474744f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD54e192307cdc099a2010d15314ab96a54
SHA184ba86aeeab4a00b59c520d0ec69649a5fce7495
SHA2569596ed362ca7bbc9deafa37111a18d0bed367cd74b155f4ee382d53cd3216bd1
SHA512cbbdafa8f93c134ec11147b708b40489acb78f4ede9ae54e5cce8521971fa8710636f81c8d5f278e881f48a776c0ccd74ee38cefe4bd2762167de5213ecf5f61
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5d7eefc731ac53119bdfd20594eb45eeb
SHA1536b25c81b914cdd9e8e3198a7433d649d13856f
SHA256e1fa0db1f0a7edc648d8355ca0b40c24ed41fc36012ab132218bee7a62eb9970
SHA512cf8585734ca75c65253294c317001ffa70b474e8abe204aed68a10826f311f806ee25ae795ea9ca119156618d833b7b163fec9fd443af953c18ed6752da8ec6a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5b7abcba3d8003e65c69cfbbe3dee403e
SHA1f478781b41f7cdbdd0cefb17d91d0b89ec3e47fe
SHA256d296ef09fa0938e16e7a5d29870c3b3be8a7454d649822f1457ea10e2e70ab34
SHA51233e31839567279a36513d6acf46101a63d119ec980d199a528aa746bfd441d2afb6f2bbc61ecb97c2c9e24565f35c41c5b2cb242b52c18569092b3456f70c5b6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD514eb9bf1fdfbbc3e49d7676f3e92c805
SHA1e1b6555106c580842423683d4b43148cf8b9f228
SHA256fd2b74e95cb9600832a3922153214377adedc2b298c275e334fd8af71545ab9d
SHA512f38a8a4eefaa8b236da463dc0536ddfafc4746c2e6efabdd3f4960f61100fca1dabed3f04b733f88fd3bb8f3caf2aaccb45d364cbc3389942cfca446e9f2cc84
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5fe35986aca10afeedd70bdc55f526a75
SHA146029547c2f2ba9deea1eef5aa69c4f99dc866db
SHA256edd34addb464cc9e79960f292abca14eaea6a9f965ce79705a63ffd00b03230b
SHA512d8d9c6acde46f7d847dbce1ad022e479910754647c3f7af6dbf7709ad6f4b66f7fd78f693e68a35d5191e68f1f2bfef57c898be63a034cd0748c875f1e7bb837
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD53804f9a1f10bcbcb89fd36b9626a7be2
SHA19a7ecb8cb4876057eb2136c85b9729c4ae22a9a0
SHA25678c9e49d306be3338d3264dc7348cecda2a1f615b499875bf1a136796a86fdda
SHA5122e987793b1ba6cb11a98580660cfbd46dba76960eeed5a5f3d9be5c3fe179a8207448f1f6c7752fd5a545000eb9da976516bd754302e0e69a4789104782726d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5a2d18051f0467b7cd743e489d18cb778
SHA16f43eb1adbcfc806a054b82b1766fdc213e9dd10
SHA25604bebe07b963b75531bba957debadb0575ccbce52b1f7d0e2f666c0bb27af3f9
SHA512b50c4cd60c2b78dca20cd5e58a34f6d172eb37e599ed301594d7f3a7cde6375a6301e46d4af84cf3c39cd5597badf50acfac5bf92ef834f5d80c50bb1cbd8bb6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD55525342486822cc09a128362f2f41e4c
SHA184d33ec73f2150a3dec9b01ac7c9b51c79133031
SHA256425a6d8ba6c01845abf17357f97ff7894e59ddc8b5a78cd700f21f49f6e10bb6
SHA512ecc0a71477d4526c38546aaea3b13d8f017ea60ce78422f418c07bd17ff8fe448981f2c40b49e48b523f77fede6949c82ceb11c57c1b9e5aab681ebb8671f396
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD55c853dede02e31fe243872eabfe7732f
SHA15af79f1d946bb09454b148795eacde6fc7a47a93
SHA2569e15f6ff0a1bb3cfad97027f7c6ebe4eb99d7a763432533c27b81b6574ff83d7
SHA51255d5a7140a0f2c5a02b348de3859a028f7bd2ea27e5e7563d4815aad2f1b0088a4bd95058e0aece81a89301d6650ac7d3b9d5d766defd12d2203135390586f03
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5b482a886820030024e05b9a718127e5b
SHA19c0aec1acbcacf8ad04816059e9f261b33a7bacd
SHA2569648f3852b4a9944bc16a69724966fb451099f6e1507b65d0a4786dfad878c99
SHA5121fa4870d1da63123027ce3f0ec1d64c056da7e1a2827870a596254a37b8390c79bd4caf8ffa9d37b486720ec4832ef59b8632e0105e69f70c1ebeef7c69bff44
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5ea1c50f99c1ee3ed5dd8f0f7b8183d4b
SHA19cce273401da24dbea685c1c719aa4fb974f8ae7
SHA256b0f7c5a34dd2ed5c9fbd56b590905bd4b8e1512f51d86eb03ba471256c83ff15
SHA512c797a16257ac0efdf8000d80f35fd66d7e4b75d1c4006b4d68b78b0f77d740a61e1d0366511218fea0c0b134505475d2094ea367cf80e38f5d1844747919beb0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD52127564631c6c6e2daac6df274bf15df
SHA140c9710c98e0ca9bc4be59f0354d8049d1245389
SHA2563a4f2c0c6b654607acd1d05eb9a0cb1f7692dc69fea39cd35c413178fa362d8f
SHA5128c0208fb5121ca98093acd919d7b7e442eacb1187f574df68499d763ee76353434bed4654b497e0015b20e34563147d5cf092ce20b6f891f42d97aad6af8a1d1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5e3e28d53dd984326d0709abcd2aebebb
SHA166bca500f154edd6b97313f469e2555811baf1df
SHA256d6e7c68e6bad7b1c7daebfed6c573d0260c911a166d8e62ff014878a5d1b2b9b
SHA512d4623bc6d820f0ce5aef3081ef646746af60b49c24e5077ec714dd76984b550d0d4deb5ff88b03b2bfb79e0d0898dc5a65eabdc643eeeedc5123f83b3c009ab6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD544b970f405aa77b3b78ad861648112b6
SHA116ee6b26afdb807246bd53b4cb62dd373ce539ec
SHA256eddf2045216a4057d4da872aea42924f35145342960f7322394cb0c6c5cc4dce
SHA512a47ac42daa69c559f17ef69c5e446adaee9caf12e998ac1feb7a7775d287d804a08721bb4e62f8f4ac9a16126a0abc13dfefaa737c3d5e3f61f509a59a22c922
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5210ea3c7c95db3c810d5736d85c503c5
SHA14b91e8e37bf3bb98f669103035d29c9869edbcd0
SHA2566ff585357db8f3221860020b445bc19fb19bdf2090105a125ac7a98f087e99f2
SHA5123955beec9d56571787f146d23f3f1663459ba788e245bd832e85dd89609be47a3511c56d76e7556b5735be190c14764193b085c8b47bb690fff151a404d0e1c1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5c350963d6c4f535ecd978a544c4d2db3
SHA19d2e290c8338e2e251966d5934a0a471259791df
SHA25685c331f73bb3e66b28972caf46c57f4f020173c56b648c7dee5bf7ea9d625108
SHA512fc9ba4a53dd6b1c726d96985ebf136e736777095ec71ff12e8122aef4a0712536f62bbce7378c51770b3ac64e178f8abc25f15359adee8d35ac1958c4a648745
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD525f074131d29e563dd387fc6033aa2b7
SHA169714a53fa1ec7f688deb276180aabb17d6a44c3
SHA2563daba0f869f1a3c9e9ddeb2786fc1fe2a0b19ce20e792c8d7c19000e9d8f00e0
SHA512d0d1410127dd40c4404b183c982763c85a39c6341b96aa36d3b08207a7c934a86df697e216cf26fb327cf1f27d9bff59dc0d20d22b54d4a61a2dcb44991c897e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD53220c2456bd6fb19e93ec3fb3dd69803
SHA1b1ee1c385715f858e042a99c6119f3adc6e05d8f
SHA256fb8707d9ef913b45965ca72ad6ee551efc9257d5427fe0cb9f9f39381e2b83d5
SHA5124a5e21dafdddf64312a953b8eb6d0b894e81cf3723c958756c6cf42d9faf00448021b23ebbdbff462c0305c37e3e9aa530c3df5cd0b7e1857ce19b9cae33fca9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5aea89d53ee131637f6c200220721ba68
SHA1a283aaf8736fe9e3fe9d04a3f0b2f1bfe6587792
SHA2560bb01da8881fcd770a8c2f95cd1cdede636187dbd0a3544b54e5bf3b2d362cd1
SHA5127858752359e5895c57d82002a0d3f1cc09bdbd7e8ef0b1365aa45c6974baa54bf930b22f2f124621d9a7c7d2a48d103bbacbd52d0f0b04c8acd7e26543302c07
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD57bb150ff0d1889b423aaf2ca45cb1478
SHA130086d0884bd6ec1905ad0454a9b0bda866e7a63
SHA2569f528a9d8b2cd41a2c201fac2931851b834c3d287dd8281fb7e8d173b7dd964e
SHA5124348e34a942c3aba6903be70034f41d5c534f207dae78db51f542ae5418a40ab4e20b719f55a8b1ba15987e2e0f5ea12eb64ee7e760df369ef0f42b658e489c8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5a881a411d67014c1df9d601b9eca56dd
SHA1cdaaba1836877af0e6cb7be544d0c7e5ecd0e93b
SHA256b44730c8c0f95124878523a2f972df90f8c872a8e40bf19c02bd38a7be9fb372
SHA512a21739193c337890ff68e93311b39c0cba1000b3372e55d6a10e50274f096d525b3b2dd4977798501c1a51005735ac467d5efeb5b000a3013f380c3b48a6cf31
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD561174b8c52739b81126a7f1d8aee366f
SHA10af1b5f011ce9fc77779549882028b88866848e3
SHA2564b8e47070b02d9601d0656447febb5c03b935e0ac844dd687667e64ccb3f6644
SHA51296c05dd9464e0ee8706193d0e952181260b868240c50967a3b2bf43cf4fbab16e52224877024de7f59318b97202d4d41ed61423f7f16760f41d3a0d01516bb9d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5661a05d253a676b0d34e51cba9eedfaf
SHA1d818844a8fabd15ba3a860556bfcb8a3e8089ca4
SHA2568275701d65512d15e1ce378e9abab84199f321e778248e736e655120b2cec139
SHA512a97d76bc262795cf08d7dc3484d542afb3b1ab6ffb4efb9146807159ac623c63e7bc924b2da2e65af99c1af99f583d24655ebba4dda178dc0bd9e8405a269029
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5a87ee6317b3d781c767df70af6540047
SHA1533ee3c7eca19bbbd69c1449ec42f7b37ed0a960
SHA2565abaa2c2f5acd62e8accb93c6741387099d6a39048100054b1d72d0361888010
SHA5123f2b70c710d6646a97293c7d373997e39f646eba9c7192b5467e5bf8407685ae746c4eca419fb39a6500ac0e44f46d39ee6f4ddb5489417bfc4964aa786ac158
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD54e1a8bf22a4858a6f39043f5aabf1fac
SHA18e64779e1dbc5ffa61008d0a349da8af23e9201d
SHA2561d17e0e927be4debd1970f1747eed86b795d669ae8abe00e76084186a331c769
SHA5127a581e3144f8dd086edba69dca1c0e5ea78b96555599faeab52a862af168aafa94e09784b9683f99c0dbbf9cad46d062653dee56c7678aca93a5d2ed8b9109c9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82